[apparmor] [PATCH v2 38/42] libapparmor: Move the aa_kernel_interface API
Tyler Hicks
tyhicks at canonical.com
Fri Mar 6 21:48:54 UTC 2015
Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
libraries/libapparmor/include/sys/apparmor.h | 23 ++
libraries/libapparmor/src/Makefile.am | 2 +-
libraries/libapparmor/src/kernel_interface.c | 393 ++++++++++++++++++++++++++
libraries/libapparmor/src/libapparmor.map | 11 +
parser/Makefile | 7 +-
parser/kernel_interface.c | 395 ---------------------------
parser/kernel_interface.h | 50 ----
parser/parser.h | 3 +-
parser/parser_interface.c | 2 +-
parser/parser_main.c | 1 -
parser/parser_policy.c | 2 +-
11 files changed, 434 insertions(+), 455 deletions(-)
create mode 100644 libraries/libapparmor/src/kernel_interface.c
delete mode 100644 parser/kernel_interface.c
delete mode 100644 parser/kernel_interface.h
diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h
index 34507e4..f7ff1a7 100644
--- a/libraries/libapparmor/include/sys/apparmor.h
+++ b/libraries/libapparmor/include/sys/apparmor.h
@@ -116,6 +116,29 @@ int aa_features_write_to_file(aa_features *features, const char *path);
bool aa_features_is_equal(aa_features *features1, aa_features *features2);
bool aa_features_supports(aa_features *features, char *str);
+typedef struct aa_kernel_interface aa_kernel_interface;
+int aa_kernel_interface_new(aa_kernel_interface **kernel_interface,
+ aa_features *kernel_features,
+ const char *apparmorfs);
+aa_kernel_interface *aa_kernel_interface_ref(aa_kernel_interface *kernel_interface);
+void aa_kernel_interface_unref(aa_kernel_interface *kernel_interface);
+
+int aa_kernel_interface_load_policy(aa_kernel_interface *kernel_interface,
+ const char *buffer, size_t size);
+int aa_kernel_interface_load_policy_from_file(aa_kernel_interface *kernel_interface,
+ const char *path);
+int aa_kernel_interface_load_policy_from_fd(aa_kernel_interface *kernel_interface,
+ int fd);
+int aa_kernel_interface_replace_policy(aa_kernel_interface *kernel_interface,
+ const char *buffer, size_t size);
+int aa_kernel_interface_replace_policy_from_file(aa_kernel_interface *kernel_interface,
+ const char *path);
+int aa_kernel_interface_replace_policy_from_fd(aa_kernel_interface *kernel_interface,
+ int fd);
+int aa_kernel_interface_remove_policy(aa_kernel_interface *kernel_interface,
+ const char *fqname);
+int aa_kernel_interface_write_policy(int fd, const char *buffer, size_t size);
+
__END_DECLS
#endif /* sys/apparmor.h */
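Review bot: The new prototypes are now the public contract, but nothing in this hunk states who owns the object that aa_kernel_interface_new hands back; from the implementation it is created holding one reference that the caller must drop with aa_kernel_interface_unref, and `apparmorfs` may be NULL to have the mount point discovered. A short block comment above `typedef struct aa_kernel_interface aa_kernel_interface;` such as `/* Reference-counted handle to the AppArmor kernel policy interface. aa_kernel_interface_new returns it with one reference owned by the caller, released with aa_kernel_interface_unref(); apparmorfs may be NULL to auto-discover the securityfs path. */` would close that gap. It is also worth saying that `size` on the load/replace buffer calls is the byte length of a compiled policy blob, since the library now accepts it from arbitrary callers.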
diff --git a/libraries/libapparmor/src/Makefile.am b/libraries/libapparmor/src/Makefile.am
index a43109d..86996dd 100644
--- a/libraries/libapparmor/src/Makefile.am
+++ b/libraries/libapparmor/src/Makefile.am
@@ -48,7 +48,7 @@ af_protos.h: /usr/include/netinet/in.h
lib_LTLIBRARIES = libapparmor.la
noinst_HEADERS = grammar.h parser.h scanner.h af_protos.h private.h
-libapparmor_la_SOURCES = grammar.y libaalogparse.c kernel.c scanner.c private.c features.c
+libapparmor_la_SOURCES = grammar.y libaalogparse.c kernel.c scanner.c private.c features.c kernel_interface.c
libapparmor_la_LDFLAGS = -version-info $(AA_LIB_CURRENT):$(AA_LIB_REVISION):$(AA_LIB_AGE) -XCClinker -dynamic -pthread \
-Wl,--version-script=$(top_srcdir)/src/libapparmor.map
diff --git a/libraries/libapparmor/src/kernel_interface.c b/libraries/libapparmor/src/kernel_interface.c
new file mode 100644
index 0000000..f142b8d
--- /dev/null
+++ b/libraries/libapparmor/src/kernel_interface.c
@@ -0,0 +1,393 @@
+/*
+ * Copyright (c) 2014
+ * Canonical, Ltd. (All rights reserved)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of version 2 of the GNU General Public
+ * License published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, contact Novell, Inc. or Canonical
+ * Ltd.
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <sys/apparmor.h>
+
+#include "private.h"
+
+#define DEFAULT_APPARMORFS "/sys/kernel/security/apparmor"
+
+struct aa_kernel_interface {
+ unsigned int ref_count;
+ bool supports_setload;
+ int dirfd;
+};
+
+/**
+ * find_iface_dir - find where the apparmor interface is located
+ * @dir - RETURNs: stored location of interface director
+ *
+ * Returns: 0 on success, -1 with errno set if there is an error
+ */
+static int find_iface_dir(char **dir)
+{
+ if (aa_find_mountpoint(dir) == -1) {
+ struct stat buf;
+ if (stat(DEFAULT_APPARMORFS, &buf) == -1) {
+ return -1;
+ } else {
+ *dir = strdup(DEFAULT_APPARMORFS);
+ if (*dir == NULL)
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
+/* bleah the kernel should just loop and do multiple load, but to support
+ * older systems we need to do this
+ */
+#define PROFILE_HEADER_SIZE
+static char header_version[] = "\x04\x08\x00version";
+
+static const char *next_profile_buffer(const char *buffer, int size)
+{
+ const char *b = buffer;
+
+ for (; size - sizeof(header_version); b++, size--) {
+ if (memcmp(b, header_version, sizeof(header_version)) == 0) {
+ return b;
+ }
+ }
+ return NULL;
+}
+
+static int write_buffer(int fd, const char *buffer, int size)
+{
+ int wsize = write(fd, buffer, size);
+ if (wsize < 0) {
+ return -1;
+ } else if (wsize < size) {
+ errno = EPROTO;
+ return -1;
+ }
+ return 0;
+}
+
+/**
+ * write_policy_buffer - load compiled policy into the kernel
+ * @fd: kernel iterface to write to
+ * @atomic: whether to load all policy in buffer atomically (true)
+ * @buffer: buffer of policy to load
+ * @size: the size of the data in the buffer
+ *
+ * Returns: 0 if the buffer loaded correctly
+ * -1 if the load failed with errno set to the error
+ *
+ * @atomic should only be set to true if the kernel supports atomic profile
+ * set loads, otherwise only the 1st profile in the buffer will be loaded
+ * (older kernels only support loading one profile at a time).
+ */
+static int write_policy_buffer(int fd, int atomic,
+ const char *buffer, size_t size)
+{
+ size_t bsize;
+ int rc;
+
+ if (atomic) {
+ rc = write_buffer(fd, buffer, size);
+ } else {
+ const char *b, *next;
+
+ rc = 0; /* in case there are no profiles */
+ for (b = buffer; b; b = next, size -= bsize) {
+ next = next_profile_buffer(b + sizeof(header_version),
+ size);
+ if (next)
+ bsize = next - b;
+ else
+ bsize = size;
+ if (write_buffer(fd, b, bsize) == -1)
+ return -1;
+ }
+ }
+
+ if (rc)
+ return -1;
+
+ return 0;
+}
+
+#define AA_IFACE_FILE_LOAD ".load"
+#define AA_IFACE_FILE_REMOVE ".remove"
+#define AA_IFACE_FILE_REPLACE ".replace"
+
+static int write_policy_buffer_to_iface(aa_kernel_interface *kernel_interface,
+ const char *iface_file,
+ const char *buffer, size_t size)
+{
+ autoclose int fd = -1;
+
+ fd = openat(kernel_interface->dirfd, iface_file, O_WRONLY | O_CLOEXEC);
+ if (fd == -1)
+ return -1;
+
+ return write_policy_buffer(fd, kernel_interface->supports_setload,
+ buffer, size);
+}
+
+static int write_policy_fd_to_iface(aa_kernel_interface *kernel_interface,
+ const char *iface_file, int fd)
+{
+ autofree char *buffer = NULL;
+ int size = 0, asize = 0, rsize;
+ int chunksize = 1 << 14;
+
+ do {
+ if (asize - size == 0) {
+ buffer = (char *) realloc(buffer, chunksize);
+ asize = chunksize;
+ chunksize <<= 1;
+ if (!buffer) {
+ errno = ENOMEM;
+ return -1;
+ }
+ }
+
+ rsize = read(fd, buffer + size, asize - size);
+ if (rsize)
+ size += rsize;
+ } while (rsize > 0);
+
+ if (rsize == -1)
+ return -1;
+
+ return write_policy_buffer_to_iface(kernel_interface, iface_file,
+ buffer, size);
+}
+
+static int write_policy_file_to_iface(aa_kernel_interface *kernel_interface,
+ const char *iface_file, const char *path)
+{
+ autoclose int fd;
+
+ fd = open(path, O_RDONLY);
+ if (fd == -1)
+ return -1;
+
+ return write_policy_fd_to_iface(kernel_interface, iface_file, fd);
+}
+
+/**
+ * aa_kernel_interface_new - create a new kernel_interface from an optional path
+ * @kernel_interface: will point to the address of an allocated and initialized
+ * aa_kernel_interface object upon success
+ * @kernel_features: features representing the currently running kernel
+ * @apparmorfs: path to the apparmor directory of the mounted securityfs (can
+ * be NULL and the path will be auto discovered)
+ *
+ * Returns: 0 on success, -1 on error with errnot set and *@kernel_interface
+ * pointing to NULL
+ */
+int aa_kernel_interface_new(aa_kernel_interface **kernel_interface,
+ aa_features *kernel_features,
+ const char *apparmorfs)
+{
+ aa_kernel_interface *ki;
+ autofree char *alloced_apparmorfs = NULL;
+ char set_load[] = "policy/set_load";
+
+ *kernel_interface = NULL;
+
+ ki = (aa_kernel_interface *) calloc(1, sizeof(*ki));
+ if (!ki) {
+ errno = ENOMEM;
+ return -1;
+ }
+ aa_kernel_interface_ref(ki);
+ ki->dirfd = -1;
+
+ ki->supports_setload = kernel_features ?
+ aa_features_supports(kernel_features, set_load) :
+ false;
+
+ if (!apparmorfs) {
+ if (find_iface_dir(&alloced_apparmorfs) == -1) {
+ int save = errno;
+
+ alloced_apparmorfs = NULL;
+ aa_kernel_interface_unref(ki);
+ errno = save;
+ return -1;
+ }
+ /* alloced_apparmorfs will be autofree'ed */
+ apparmorfs = alloced_apparmorfs;
+ }
+
+ ki->dirfd = open(apparmorfs, O_RDONLY | O_CLOEXEC | O_DIRECTORY);
+ if (ki->dirfd < 0) {
+ int save = errno;
+
+ aa_kernel_interface_unref(ki);
+ errno = save;
+ return -1;
+ }
+
+ *kernel_interface = ki;
+
+ return 0;
+}
+
+/**
+ * aa_kernel_interface_ref - increments the ref count of a kernel_interface
+ * @kernel_interface: the kernel_interface
+ *
+ * Returns: the kernel_interface
+ */
+aa_kernel_interface *aa_kernel_interface_ref(aa_kernel_interface *kernel_interface)
+{
+ atomic_inc(&kernel_interface->ref_count);
+ return kernel_interface;
+}
+
+/**
+ * aa_kernel_interface_unref - decrements the ref count and frees the kernel_interface when 0
+ * @kernel_interface: the kernel_interface (can be NULL)
+ */
+void aa_kernel_interface_unref(aa_kernel_interface *kernel_interface)
+{
+ if (kernel_interface &&
+ atomic_dec_and_test(&kernel_interface->ref_count)) {
+ close(kernel_interface->dirfd);
+ free(kernel_interface);
+ }
+}
+
+/**
+ * aa_kernel_interface_load_policy - load a policy into the kernel
+ * @kernel_interface: valid aa_kernel_interface
+ * @buffer: a buffer containing a policy
+ * @size: the size of the buffer
+ *
+ * Returns: 0 on success, -1 on error with errno set
+ */
+int aa_kernel_interface_load_policy(aa_kernel_interface *kernel_interface,
+ const char *buffer, size_t size)
+{
+ return write_policy_buffer_to_iface(kernel_interface,
+ AA_IFACE_FILE_LOAD, buffer, size);
+}
+
+/**
+ * aa_kernel_interface_load_policy_from_file - load a policy into the kernel
+ * @kernel_interface: valid aa_kernel_interface
+ * @path: path to a policy binary
+ *
+ * Returns: 0 on success, -1 on error with errno set
+ */
+int aa_kernel_interface_load_policy_from_file(aa_kernel_interface *kernel_interface,
+ const char *path)
+{
+ return write_policy_file_to_iface(kernel_interface, AA_IFACE_FILE_LOAD,
+ path);
+}
+
+/**
+ * aa_kernel_interface_load_policy_from_fd - load a policy into the kernel
+ * @kernel_interface: valid aa_kernel_interface
+ * @fd: a pre-opened, readable file descriptor at the correct offset
+ *
+ * Returns: 0 on success, -1 on error with errno set
+ */
+int aa_kernel_interface_load_policy_from_fd(aa_kernel_interface *kernel_interface,
+ int fd)
+{
+ return write_policy_fd_to_iface(kernel_interface, AA_IFACE_FILE_LOAD,
+ fd);
+}
+
+/**
+ * aa_kernel_interface_replace_policy - replace a policy in the kernel
+ * @kernel_interface: valid aa_kernel_interface
+ * @buffer: a buffer containing a policy
+ * @size: the size of the buffer
+ *
+ * Returns: 0 on success, -1 on error with errno set
+ */
+int aa_kernel_interface_replace_policy(aa_kernel_interface *kernel_interface,
+ const char *buffer, size_t size)
+{
+ return write_policy_buffer_to_iface(kernel_interface,
+ AA_IFACE_FILE_REPLACE,
+ buffer, size);
+}
+
+/**
+ * aa_kernel_interface_replace_policy_from_file - replace a policy in the kernel
+ * @kernel_interface: valid aa_kernel_interface
+ * @path: path to a policy binary
+ *
+ * Returns: 0 on success, -1 on error with errno set
+ */
+int aa_kernel_interface_replace_policy_from_file(aa_kernel_interface *kernel_interface,
+ const char *path)
+{
+ return write_policy_file_to_iface(kernel_interface,
+ AA_IFACE_FILE_REPLACE, path);
+}
+
+/**
+ * aa_kernel_interface_replace_policy_from_fd - replace a policy in the kernel
+ * @kernel_interface: valid aa_kernel_interface
+ * @fd: a pre-opened, readable file descriptor at the correct offset
+ *
+ * Returns: 0 on success, -1 on error with errno set
+ */
+int aa_kernel_interface_replace_policy_from_fd(aa_kernel_interface *kernel_interface,
+ int fd)
+{
+ return write_policy_fd_to_iface(kernel_interface, AA_IFACE_FILE_REPLACE,
+ fd);
+}
+
+/**
+ * aa_kernel_interface_remove_policy - remove a policy from the kernel
+ * @kernel_interface: valid aa_kernel_interface
+ * @fqname: nul-terminated fully qualified name of the policy to remove
+ *
+ * Returns: 0 on success, -1 on error with errno set
+ */
+int aa_kernel_interface_remove_policy(aa_kernel_interface *kernel_interface,
+ const char *fqname)
+{
+ return write_policy_buffer_to_iface(kernel_interface,
+ AA_IFACE_FILE_REMOVE,
+ fqname, strlen(fqname) + 1);
+}
+
+/**
+ * aa_kernel_interface_write_policy - write a policy to a file descriptor
+ * @fd: a pre-opened, writeable file descriptor at the correct offset
+ * @buffer: a buffer containing a policy
+ * @size: the size of the buffer
+ *
+ * Returns: 0 on success, -1 on error with errno set
+ */
+int aa_kernel_interface_write_policy(int fd, const char *buffer, size_t size)
+{
+ return write_policy_buffer(fd, 1, buffer, size);
+}
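Review bot: The profile-boundary scan in write_policy_buffer reads past the end of the caller's buffer: it passes the full remaining `size` to next_profile_buffer after already skipping sizeof(header_version) bytes, and next_profile_buffer's `size - sizeof(header_version)` loop condition (an int/size_t mix that also fails to terminate when size is below the header length) still memcmp()s a complete header at every position, so up to sizeof(header_version) - 1 bytes beyond the buffer are compared. Now that aa_kernel_interface_load_policy and friends are libapparmor entry points taking any caller-supplied buffer and size, the scan should take a size_t and only test positions where a whole header fits, with the caller passing the bytes that actually remain after the skipped header. Two smaller points in the same hunk: write_policy_file_to_iface opens the policy file without `O_CLOEXEC`, unlike the other opens in this file, and write_policy_fd_to_iface assigns `realloc()`'s result straight back to `buffer`, so on failure the previous allocation is lost before autofree can release it. write_buffer also silently narrows the size_t sizes it is handed to int.
```c
static const char *next_profile_buffer(const char *buffer, size_t size)
{
	const char *b = buffer;

	/* only test positions where a complete header fits inside the buffer */
	for (; size >= sizeof(header_version); b++, size--) {
		if (memcmp(b, header_version, sizeof(header_version)) == 0)
			return b;
	}
	return NULL;
}

/* … unchanged: write_buffer, write_policy_buffer prologue and atomic branch … */
		for (b = buffer; b; b = next, size -= bsize) {
			/* the next boundary can only start after this profile's own header */
			if (size < sizeof(header_version))
				next = NULL;
			else
				next = next_profile_buffer(b + sizeof(header_version),
							   size - sizeof(header_version));
			bsize = next ? (size_t)(next - b) : size;
			if (write_buffer(fd, b, bsize) == -1)
				return -1;
		}
/* … unchanged: remainder of write_policy_buffer … */
```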
diff --git a/libraries/libapparmor/src/libapparmor.map b/libraries/libapparmor/src/libapparmor.map
index d0020c7..5b06b54 100644
--- a/libraries/libapparmor/src/libapparmor.map
+++ b/libraries/libapparmor/src/libapparmor.map
@@ -71,6 +71,17 @@ APPARMOR_2.10 {
aa_features_supports_signal;
aa_features_supports_ptrace;
aa_features_supports_diff_encode;
+ aa_kernel_interface_new;
+ aa_kernel_interface_ref;
+ aa_kernel_interface_unref;
+ aa_kernel_interface_load_policy;
+ aa_kernel_interface_load_policy_from_file;
+ aa_kernel_interface_load_policy_from_fd;
+ aa_kernel_interface_replace_policy;
+ aa_kernel_interface_replace_policy_from_file;
+ aa_kernel_interface_replace_policy_from_fd;
+ aa_kernel_interface_remove_policy;
+ aa_kernel_interface_write_policy;
local:
*;
} APPARMOR_2.9;
diff --git a/parser/Makefile b/parser/Makefile
index 120672f..c4a4224 100644
--- a/parser/Makefile
+++ b/parser/Makefile
@@ -75,10 +75,10 @@ SRCS = parser_common.c parser_include.c parser_interface.c parser_lex.c \
parser_yacc.c parser_regex.c parser_variable.c parser_policy.c \
parser_alias.c common_optarg.c lib.c network.c \
mount.cc dbus.cc profile.cc rule.cc signal.cc ptrace.cc \
- af_rule.cc af_unix.cc policy_cache.c kernel_interface.c
+ af_rule.cc af_unix.cc policy_cache.c
HDRS = parser.h parser_include.h immunix.h mount.h dbus.h lib.h profile.h \
rule.h common_optarg.h signal.h ptrace.h network.h af_rule.h af_unix.h \
- policy_cache.h kernel_interface.h
+ policy_cache.h
TOOLS = apparmor_parser
OBJECTS = $(patsubst %.cc, %.o, $(SRCS:.c=.o))
@@ -240,9 +240,6 @@ common_optarg.o: common_optarg.c common_optarg.h parser.h libapparmor_re/apparmo
policy_cache.o: policy_cache.c policy_cache.h parser.h
$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
-kernel_interface.o: kernel_interface.c kernel_interface.h
- $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
-
lib.o: lib.c lib.h parser.h
$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
diff --git a/parser/kernel_interface.c b/parser/kernel_interface.c
deleted file mode 100644
index c046e0e..0000000
--- a/parser/kernel_interface.c
+++ /dev/null
@@ -1,395 +0,0 @@
-/*
- * Copyright (c) 2014
- * Canonical, Ltd. (All rights reserved)
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of version 2 of the GNU General Public
- * License published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, contact Novell, Inc. or Canonical
- * Ltd.
- */
-
-#include <errno.h>
-#include <fcntl.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <sys/apparmor.h>
-#include <unistd.h>
-
-#include "kernel_interface.h"
-#include "lib.h"
-#include "parser.h"
-
-#define DEFAULT_APPARMORFS "/sys/kernel/security/apparmor"
-
-struct aa_kernel_interface {
- unsigned int ref_count;
- bool supports_setload;
- int dirfd;
-};
-
-/**
- * find_iface_dir - find where the apparmor interface is located
- * @dir - RETURNs: stored location of interface director
- *
- * Returns: 0 on success, -1 with errno set if there is an error
- */
-static int find_iface_dir(char **dir)
-{
- if (aa_find_mountpoint(dir) == -1) {
- struct stat buf;
- if (stat(DEFAULT_APPARMORFS, &buf) == -1) {
- return -1;
- } else {
- *dir = strdup(DEFAULT_APPARMORFS);
- if (*dir == NULL)
- return -1;
- }
- }
-
- return 0;
-}
-
-/* bleah the kernel should just loop and do multiple load, but to support
- * older systems we need to do this
- */
-#define PROFILE_HEADER_SIZE
-static char header_version[] = "\x04\x08\x00version";
-
-static const char *next_profile_buffer(const char *buffer, int size)
-{
- const char *b = buffer;
-
- for (; size - sizeof(header_version); b++, size--) {
- if (memcmp(b, header_version, sizeof(header_version)) == 0) {
- return b;
- }
- }
- return NULL;
-}
-
-static int write_buffer(int fd, const char *buffer, int size)
-{
- int wsize = write(fd, buffer, size);
- if (wsize < 0) {
- return -1;
- } else if (wsize < size) {
- errno = EPROTO;
- return -1;
- }
- return 0;
-}
-
-/**
- * write_policy_buffer - load compiled policy into the kernel
- * @fd: kernel iterface to write to
- * @atomic: whether to load all policy in buffer atomically (true)
- * @buffer: buffer of policy to load
- * @size: the size of the data in the buffer
- *
- * Returns: 0 if the buffer loaded correctly
- * -1 if the load failed with errno set to the error
- *
- * @atomic should only be set to true if the kernel supports atomic profile
- * set loads, otherwise only the 1st profile in the buffer will be loaded
- * (older kernels only support loading one profile at a time).
- */
-static int write_policy_buffer(int fd, int atomic,
- const char *buffer, size_t size)
-{
- size_t bsize;
- int rc;
-
- if (atomic) {
- rc = write_buffer(fd, buffer, size);
- } else {
- const char *b, *next;
-
- rc = 0; /* in case there are no profiles */
- for (b = buffer; b; b = next, size -= bsize) {
- next = next_profile_buffer(b + sizeof(header_version),
- size);
- if (next)
- bsize = next - b;
- else
- bsize = size;
- if (write_buffer(fd, b, bsize) == -1)
- return -1;
- }
- }
-
- if (rc)
- return -1;
-
- return 0;
-}
-
-#define AA_IFACE_FILE_LOAD ".load"
-#define AA_IFACE_FILE_REMOVE ".remove"
-#define AA_IFACE_FILE_REPLACE ".replace"
-
-static int write_policy_buffer_to_iface(aa_kernel_interface *kernel_interface,
- const char *iface_file,
- const char *buffer, size_t size)
-{
- autoclose int fd = -1;
-
- fd = openat(kernel_interface->dirfd, iface_file, O_WRONLY | O_CLOEXEC);
- if (fd == -1)
- return -1;
-
- return write_policy_buffer(fd, kernel_interface->supports_setload,
- buffer, size);
-}
-
-static int write_policy_fd_to_iface(aa_kernel_interface *kernel_interface,
- const char *iface_file, int fd)
-{
- autofree char *buffer = NULL;
- int size = 0, asize = 0, rsize;
- int chunksize = 1 << 14;
-
- do {
- if (asize - size == 0) {
- buffer = (char *) realloc(buffer, chunksize);
- asize = chunksize;
- chunksize <<= 1;
- if (!buffer) {
- errno = ENOMEM;
- return -1;
- }
- }
-
- rsize = read(fd, buffer + size, asize - size);
- if (rsize)
- size += rsize;
- } while (rsize > 0);
-
- if (rsize == -1)
- return -1;
-
- return write_policy_buffer_to_iface(kernel_interface, iface_file,
- buffer, size);
-}
-
-static int write_policy_file_to_iface(aa_kernel_interface *kernel_interface,
- const char *iface_file, const char *path)
-{
- autoclose int fd;
-
- fd = open(path, O_RDONLY);
- if (fd == -1)
- return -1;
-
- return write_policy_fd_to_iface(kernel_interface, iface_file, fd);
-}
-
-/**
- * aa_kernel_interface_new - create a new kernel_interface from an optional path
- * @kernel_interface: will point to the address of an allocated and initialized
- * aa_kernel_interface object upon success
- * @kernel_features: features representing the currently running kernel
- * @apparmorfs: path to the apparmor directory of the mounted securityfs (can
- * be NULL and the path will be auto discovered)
- *
- * Returns: 0 on success, -1 on error with errnot set and *@kernel_interface
- * pointing to NULL
- */
-int aa_kernel_interface_new(aa_kernel_interface **kernel_interface,
- aa_features *kernel_features,
- const char *apparmorfs)
-{
- aa_kernel_interface *ki;
- autofree char *alloced_apparmorfs = NULL;
- char set_load[] = "policy/set_load";
-
- *kernel_interface = NULL;
-
- ki = (aa_kernel_interface *) calloc(1, sizeof(*ki));
- if (!ki) {
- errno = ENOMEM;
- return -1;
- }
- aa_kernel_interface_ref(ki);
- ki->dirfd = -1;
-
- ki->supports_setload = kernel_features ?
- aa_features_supports(kernel_features, set_load) :
- false;
-
- if (!apparmorfs) {
- if (find_iface_dir(&alloced_apparmorfs) == -1) {
- int save = errno;
-
- alloced_apparmorfs = NULL;
- aa_kernel_interface_unref(ki);
- errno = save;
- return -1;
- }
- /* alloced_apparmorfs will be autofree'ed */
- apparmorfs = alloced_apparmorfs;
- }
-
- ki->dirfd = open(apparmorfs, O_RDONLY | O_CLOEXEC | O_DIRECTORY);
- if (ki->dirfd < 0) {
- int save = errno;
-
- aa_kernel_interface_unref(ki);
- errno = save;
- return -1;
- }
-
- *kernel_interface = ki;
-
- return 0;
-}
-
-/**
- * aa_kernel_interface_ref - increments the ref count of a kernel_interface
- * @kernel_interface: the kernel_interface
- *
- * Returns: the kernel_interface
- */
-aa_kernel_interface *aa_kernel_interface_ref(aa_kernel_interface *kernel_interface)
-{
- atomic_inc(&kernel_interface->ref_count);
- return kernel_interface;
-}
-
-/**
- * aa_kernel_interface_unref - decrements the ref count and frees the kernel_interface when 0
- * @kernel_interface: the kernel_interface (can be NULL)
- */
-void aa_kernel_interface_unref(aa_kernel_interface *kernel_interface)
-{
- if (kernel_interface &&
- atomic_dec_and_test(&kernel_interface->ref_count)) {
- close(kernel_interface->dirfd);
- free(kernel_interface);
- }
-}
-
-/**
- * aa_kernel_interface_load_policy - load a policy into the kernel
- * @kernel_interface: valid aa_kernel_interface
- * @buffer: a buffer containing a policy
- * @size: the size of the buffer
- *
- * Returns: 0 on success, -1 on error with errno set
- */
-int aa_kernel_interface_load_policy(aa_kernel_interface *kernel_interface,
- const char *buffer, size_t size)
-{
- return write_policy_buffer_to_iface(kernel_interface,
- AA_IFACE_FILE_LOAD, buffer, size);
-}
-
-/**
- * aa_kernel_interface_load_policy_from_file - load a policy into the kernel
- * @kernel_interface: valid aa_kernel_interface
- * @path: path to a policy binary
- *
- * Returns: 0 on success, -1 on error with errno set
- */
-int aa_kernel_interface_load_policy_from_file(aa_kernel_interface *kernel_interface,
- const char *path)
-{
- return write_policy_file_to_iface(kernel_interface, AA_IFACE_FILE_LOAD,
- path);
-}
-
-/**
- * aa_kernel_interface_load_policy_from_fd - load a policy into the kernel
- * @kernel_interface: valid aa_kernel_interface
- * @fd: a pre-opened, readable file descriptor at the correct offset
- *
- * Returns: 0 on success, -1 on error with errno set
- */
-int aa_kernel_interface_load_policy_from_fd(aa_kernel_interface *kernel_interface,
- int fd)
-{
- return write_policy_fd_to_iface(kernel_interface, AA_IFACE_FILE_LOAD,
- fd);
-}
-
-/**
- * aa_kernel_interface_replace_policy - replace a policy in the kernel
- * @kernel_interface: valid aa_kernel_interface
- * @buffer: a buffer containing a policy
- * @size: the size of the buffer
- *
- * Returns: 0 on success, -1 on error with errno set
- */
-int aa_kernel_interface_replace_policy(aa_kernel_interface *kernel_interface,
- const char *buffer, size_t size)
-{
- return write_policy_buffer_to_iface(kernel_interface,
- AA_IFACE_FILE_REPLACE,
- buffer, size);
-}
-
-/**
- * aa_kernel_interface_replace_policy_from_file - replace a policy in the kernel
- * @kernel_interface: valid aa_kernel_interface
- * @path: path to a policy binary
- *
- * Returns: 0 on success, -1 on error with errno set
- */
-int aa_kernel_interface_replace_policy_from_file(aa_kernel_interface *kernel_interface,
- const char *path)
-{
- return write_policy_file_to_iface(kernel_interface,
- AA_IFACE_FILE_REPLACE, path);
-}
-
-/**
- * aa_kernel_interface_replace_policy_from_fd - replace a policy in the kernel
- * @kernel_interface: valid aa_kernel_interface
- * @fd: a pre-opened, readable file descriptor at the correct offset
- *
- * Returns: 0 on success, -1 on error with errno set
- */
-int aa_kernel_interface_replace_policy_from_fd(aa_kernel_interface *kernel_interface,
- int fd)
-{
- return write_policy_fd_to_iface(kernel_interface, AA_IFACE_FILE_REPLACE,
- fd);
-}
-
-/**
- * aa_kernel_interface_remove_policy - remove a policy from the kernel
- * @kernel_interface: valid aa_kernel_interface
- * @fqname: nul-terminated fully qualified name of the policy to remove
- *
- * Returns: 0 on success, -1 on error with errno set
- */
-int aa_kernel_interface_remove_policy(aa_kernel_interface *kernel_interface,
- const char *fqname)
-{
- return write_policy_buffer_to_iface(kernel_interface,
- AA_IFACE_FILE_REMOVE,
- fqname, strlen(fqname) + 1);
-}
-
-/**
- * aa_kernel_interface_write_policy - write a policy to a file descriptor
- * @fd: a pre-opened, writeable file descriptor at the correct offset
- * @buffer: a buffer containing a policy
- * @size: the size of the buffer
- *
- * Returns: 0 on success, -1 on error with errno set
- */
-int aa_kernel_interface_write_policy(int fd, const char *buffer, size_t size)
-{
- return write_policy_buffer(fd, 1, buffer, size);
-}
diff --git a/parser/kernel_interface.h b/parser/kernel_interface.h
deleted file mode 100644
index 8e210d1..0000000
--- a/parser/kernel_interface.h
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Copyright (c) 2014
- * Canonical, Ltd. (All rights reserved)
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of version 2 of the GNU General Public
- * License published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, contact Novell, Inc. or Canonical
- * Ltd.
- */
-
-#ifndef __AA_KERNEL_INTERFACE_H
-#define __AA_KERNEL_INTERFACE_H
-
-#include <sys/apparmor.h>
-
-#include "features.h"
-
-typedef struct aa_kernel_interface aa_kernel_interface;
-
-int aa_kernel_interface_new(aa_kernel_interface **kernel_interface,
- aa_features *kernel_features,
- const char *apparmorfs);
-aa_kernel_interface *aa_kernel_interface_ref(aa_kernel_interface *kernel_interface);
-void aa_kernel_interface_unref(aa_kernel_interface *kernel_interface);
-
-int aa_kernel_interface_load_policy(aa_kernel_interface *kernel_interface,
- const char *buffer, size_t size);
-int aa_kernel_interface_load_policy_from_file(aa_kernel_interface *kernel_interface,
- const char *path);
-int aa_kernel_interface_load_policy_from_fd(aa_kernel_interface *kernel_interface,
- int fd);
-int aa_kernel_interface_replace_policy(aa_kernel_interface *kernel_interface,
- const char *buffer, size_t size);
-int aa_kernel_interface_replace_policy_from_file(aa_kernel_interface *kernel_interface,
- const char *path);
-int aa_kernel_interface_replace_policy_from_fd(aa_kernel_interface *kernel_interface,
- int fd);
-int aa_kernel_interface_remove_policy(aa_kernel_interface *kernel_interface,
- const char *fqname);
-int aa_kernel_interface_write_policy(int fd, const char *buffer, size_t size);
-
-#endif /* __AA_KERNEL_INTERFACE_H */
diff --git a/parser/parser.h b/parser/parser.h
index 50f5bb0..f4566b9 100644
--- a/parser/parser.h
+++ b/parser/parser.h
@@ -30,10 +30,11 @@
#include <libintl.h>
#define _(s) gettext(s)
+#include <sys/apparmor.h>
+
#include "immunix.h"
#include "libapparmor_re/apparmor_re.h"
#include "libapparmor_re/aare_rules.h"
-#include "kernel_interface.h"
#include <string>
diff --git a/parser/parser_interface.c b/parser/parser_interface.c
index f864cd8..5d9e0a0 100644
--- a/parser/parser_interface.c
+++ b/parser/parser_interface.c
@@ -27,9 +27,9 @@
#include <string>
#include <sstream>
+#include <sys/apparmor.h>
#include "lib.h"
-#include "kernel_interface.h"
#include "parser.h"
#include "profile.h"
#include "libapparmor_re/apparmor_re.h"
diff --git a/parser/parser_main.c b/parser/parser_main.c
index b230a91..8fb7394 100644
--- a/parser/parser_main.c
+++ b/parser/parser_main.c
@@ -41,7 +41,6 @@
#include "lib.h"
#include "features.h"
-#include "kernel_interface.h"
#include "parser.h"
#include "parser_version.h"
#include "parser_include.h"
diff --git a/parser/parser_policy.c b/parser/parser_policy.c
index 0652715..5e4add6 100644
--- a/parser/parser_policy.c
+++ b/parser/parser_policy.c
@@ -27,11 +27,11 @@
#include <search.h>
#include <string.h>
#include <errno.h>
+#include <sys/apparmor.h>
#include "parser.h"
#include "profile.h"
#include "parser_yacc.h"
-#include "kernel_interface.h"
/* #define DEBUG */
#ifdef DEBUG
--
2.1.4